feat: set up git hooks

.gitignore

@@ -8,3 +8,5 @@ result
 result-*
 
 nixos-efi-vars.fd
+
+/.pre-commit-config.yaml

flake.lock

@@ -83,6 +83,22 @@
         "type": "github"
       }
     },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1767039857,
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+        "owner": "NixOS",
+        "repo": "flake-compat",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": [
@@ -138,6 +154,49 @@
         "type": "github"
       }
     },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat_2",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769939035,
+        "narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "a8ca480175326551d6c4121498316261cbb5b260",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "git-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -579,6 +638,7 @@
         "colmena": "colmena",
         "disko": "disko",
         "firefox-addons": "firefox-addons",
+        "git-hooks": "git-hooks",
         "home-manager": "home-manager",
         "nix-on-droid": "nix-on-droid",
         "nix-secrets": "nix-secrets",

flake.nix

@@ -43,6 +43,10 @@
       url = "github:zhaofengli/colmena";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    git-hooks = {
+      url = "github:cachix/git-hooks.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs =
@@ -52,6 +56,7 @@
       home-manager,
       nix-on-droid,
       nixgl,
+      git-hooks,
       ...
     }@inputs:
     let
@@ -61,6 +66,10 @@
       hostDirNames = utils.dirNames ./hosts;
       system = "x86_64-linux";
       dotsPath = ./dots;
+      gitHooks = import ./git-hooks.nix {
+        inherit nixpkgs git-hooks system;
+        src = ./.;
+      };
     in
     {
       nix.nixPath = [
@@ -128,6 +137,10 @@
           ;
       };
 
+      checks.${system} = gitHooks.checks;
+      formatter.${system} = gitHooks.formatter;
+      devShells.${system} = gitHooks.devShells;
+
       images.sd-image-aarch64 = self.nixosConfigurations.sd-image-aarch64.config.system.build.sdImage;
     };
 }

git-hooks.nix

@@ -0,0 +1,44 @@
+{
+  nixpkgs,
+  git-hooks,
+  system,
+  src,
+}:
+let
+  pkgs = nixpkgs.legacyPackages.${system};
+
+  pre-commit-check = git-hooks.lib.${system}.run {
+    inherit src;
+    hooks = {
+      nixfmt.enable = true;
+      statix.enable = true;
+      deadnix.enable = true;
+    };
+  };
+in
+{
+  checks = {
+    inherit pre-commit-check;
+  };
+
+  formatter =
+    let
+      inherit (pre-commit-check) config;
+      inherit (config) package configFile;
+      script = ''
+        ${pkgs.lib.getExe package} run --all-files --config ${configFile}
+      '';
+    in
+    pkgs.writeShellScriptBin "pre-commit-run" script;
+
+  devShells = {
+    default =
+      let
+        inherit (pre-commit-check) shellHook enabledPackages;
+      in
+      pkgs.mkShell {
+        inherit shellHook;
+        buildInputs = enabledPackages;
+      };
+  };
+}

home/modules/git/default.nix

@@ -21,6 +21,6 @@
     };
 
     programs.gh.enable = config.github.enable;
-    home.packages = with pkgs; lib.optionals (config.gitlab.enable) [ glab ];
+    home.packages = lib.optionals config.gitlab.enable [ pkgs.glab ];
   };
 }

hosts/eetion/default.nix

@@ -13,26 +13,30 @@ in
     ../../modules/ssh/hardened-openssh.nix
   ];
 
-  ssh.username = username;
+  ssh = {
-  ssh.publicHostname = "eetion";
+    inherit username;
-  ssh.authorizedHosts = [
+    publicHostname = "eetion";
-    "andromache"
+    authorizedHosts = [
-    "astyanax"
+      "andromache"
-  ];
+      "astyanax"
+    ];
+  };
 
   boot.loader = {
     grub.enable = false;
     generic-extlinux-compatible.enable = true;
   };
 
-  networking.hostName = hostName;
+  networking = {
-  networking.networkmanager.enable = true;
+    inherit hostName;
-  networking.firewall = {
+    networkmanager.enable = true;
-    enable = true;
+    firewall = {
-    allowedTCPPorts = [
+      enable = true;
-      80
+      allowedTCPPorts = [
-      443
+        80
-    ];
+        443
+      ];
+    };
   };
 
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
@@ -47,52 +51,54 @@ in
 
   security.sudo.wheelNeedsPassword = false;
 
-  services.openssh = {
+  services = {
-    enable = true;
+    openssh = {
-    harden = true;
+      enable = true;
+      harden = true;
+    };
+
+    paperless = {
+      enable = true;
+      passwordFile = "/etc/paperless-admin-pass";
+      settings = {
+        PAPERLESS_URL = "http://paperless.eetion";
+      };
+    };
+
+    # added (OPNSense) domain override to make this work on LAN
+    #
+    # host: eetion
+    # domain: <domain (e.g. lan)>
+    # ip address: <eetion-ip>
+    #
+    # host: paperless
+    # domain: eetion
+    # ip address: <eetion-ip>
+    nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+
+      virtualHosts = {
+        "eetion" = {
+          default = true;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:5006";
+          };
+        };
+        "paperless.eetion" = {
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:28981";
+          };
+        };
+      };
+    };
   };
 
   environment.etc."paperless-admin-pass".text = "admin";
 
-  services.paperless = {
-    enable = true;
-    passwordFile = "/etc/paperless-admin-pass";
-    settings = {
-      PAPERLESS_URL = "http://paperless.eetion";
-    };
-  };
-
-  # added (OPNSense) domain override to make this work on LAN
-  #
-  # host: eetion
-  # domain: <domain (e.g. lan)>
-  # ip address: <eetion-ip>
-  #
-  # host: paperless
-  # domain: eetion
-  # ip address: <eetion-ip>
-  services.nginx = {
-    enable = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-
-    virtualHosts = {
-      "eetion" = {
-        default = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:5006";
-        };
-      };
-      "paperless.eetion" = {
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:28981";
-        };
-      };
-    };
-  };
-
   virtualisation = {
     podman.enable = true;
     oci-containers = {

hosts/eetion/hard.nix

@@ -5,10 +5,12 @@
     (modulesPath + "/installer/scan/not-detected.nix")
   ];
 
-  boot.initrd.availableKernelModules = [ ];
+  boot = {
-  boot.initrd.kernelModules = [ ];
+    initrd.availableKernelModules = [ ];
-  boot.kernelModules = [ ];
+    initrd.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+  };
 
   fileSystems."/" = {
     device = "/dev/disk/by-label/NIXOS_SD";

hosts/hecuba/default.nix

@@ -1,8 +1,5 @@
 {
-  lib,
   inputs,
-  outputs,
-  config,
   pkgs,
   ...
 }:
@@ -23,12 +20,14 @@ in
   ];
 
   networking.hostName = hostName;
-  ssh.username = username;
+  ssh = {
-  ssh.publicHostname = "server.hektormisplon.xyz";
+    inherit username;
-  ssh.authorizedHosts = [
+    publicHostname = "server.hektormisplon.xyz";
-    "andromache"
+    authorizedHosts = [
-    "astyanax"
+      "andromache"
-  ];
+      "astyanax"
+    ];
+  };
 
   docker.user = username;
 

modules/backups/default.nix

@@ -28,23 +28,25 @@ in
   };
 
   config = {
-    sops.secrets.b2_bucket_name = { };
+    sops = {
+      secrets.b2_bucket_name = { };
 
-    sops.templates."restic/repo-${config.networking.hostName}" = {
+      templates."restic/repo-${config.networking.hostName}" = {
-      content = "b2:${config.sops.placeholder."b2_bucket_name"}:${config.networking.hostName}";
+        content = "b2:${config.sops.placeholder."b2_bucket_name"}:${config.networking.hostName}";
-    };
+      };
 
-    sops.templates."restic/b2-env-${config.networking.hostName}" = {
+      templates."restic/b2-env-${config.networking.hostName}" = {
-      content = ''
+        content = ''
-        B2_ACCOUNT_ID=${config.sops.placeholder."b2_account_id"}
+          B2_ACCOUNT_ID=${config.sops.placeholder."b2_account_id"}
-        B2_ACCOUNT_KEY=${config.sops.placeholder."b2_account_key"}
+          B2_ACCOUNT_KEY=${config.sops.placeholder."b2_account_key"}
-      '';
+        '';
+      };
     };
 
     services.restic.backups.home = {
       repositoryFile = config.sops.templates."restic/repo-${config.networking.hostName}".path;
-      passwordFile = cfg.passwordFile;
+      inherit (cfg) passwordFile;
-      paths = cfg.paths;
+      inherit (cfg) paths;
       timerConfig = {
         OnCalendar = "daily";
         Persistent = true;